Naavi.org

India that is Bharath is waiting for the elections to be over and for Mr Modi to come back with a thumping majority. The DPDPA 2023 which was notified with presidential assent needs to be activated within the 100 days plan for which we wish that Rajeev Chandrashekar will be back as the IT Minister.

We can expect that just as the work in progress rules was leaked some time back some body in MeitY is working on the rules.

It is our duty to bring to the notice of the team working on the rules some of our concerns and suggestions.

As per Section 40, at least 25 new rules need to be formulated. Out of these the following 5 rules appear to be of key importance. We would like to propose our suggestions regarding the above.

Legacy Data:

Since it is expected that a large number of legacy data principals may not be reachable and may not respond to the new notice, the rules should prescribe the “Reasonable Period” after which the permission is deemed as “Withdrawn”.

The Act now simply states…

“the Data Fiduciary may continue to process the personal data until and unless the Data Principal withdraws her consent.”

This is not in consonance with the spirit of the Act and it cannot be construed that the data can be used for an indefinite period under the excuse that the data principal did not withdraw the consent. It will also be in conflict with the obligations under Section 8(3) to ensure that the data used for processing is “Complete” and “Accurate”.

Also the principle under ITA 2000 is that any privacy policy needs to be renewed not later than one year which therefore becomes an expiry period for the consent in the absence of any other parameter.

The period of 1 year however appears unreasonable in the context of DPDPA 2023. A more reasonable period has to be prescribed and in our view it should not be more than 3 months.

Significant Data Fiduciary

The definition of “Significant Data Fiduciary” could be by far the most important rule to be notified and it is necessary that the Government thinks seriously of the suggestions made in our precious article.

The essence of this suggestion is that the “Tag of Significant Data Fiduciary” is not to be associated with an enterprise as a whole but to specific processes. Under DGPSI, we group processes based on the sensitivity and this should also determine the Significant Data Fiduciary status.

The operating part of the suggestion is to add the following explanation in the rules:

“The term ‘class’ under Section 10(1) of the Act for the application of this rule also applies to any class of personal data process/es that an entity may use where the risk, sensitivity and volume of personal data processed exceeds a specified threshold”

Nomination

If “Nomination” is considered as “Transfer of ownership of an asset on the death of a person” and applied to personal data as a property, then it will be difficult for the Data Fiduciaries to obtain consent through electronic means. We are aware that law does not consider “Nomination” as “Transfer of property” and hence the rights of legal heirs is not affected by the presence of nomination in favour of a person who is not a legal heir. However common people may not be aware of this and may consider “Nomination” as “Bequeathing of property”. If this concept is recognized then electronic consent form cannot be used to register “Nomination” because of Section 1(4) of ITA 2000.

To honour the legal principle that “Nomination” is a procedural convenience adopted by an asset owner to transfer the property to a trusted agent of the property owner for further transfer to legal heirs, an explanation needs to be added as follows.

” Nomination for the purpose of Section 14 of DPDPA 2023 means transfer of custody of personal data and associated digital property in the hands of a data fiduciary to a person designated by the data principal for eventual distribution to the legal heirs. The data fiduciary shall be considered as discharged from his liability of disposal of the digital assets if the custody is properly handed over to the designated nominee”.

A separate procedure for claim settlement can be prescribed for this purpose (Refer to earlier articles in Naavi.org on digital data of deceased.

Consent Manager

The definition of “Consent Manager” is another area where the Meity may be stuck to their current DEPA framework and needs to think differently. This aspect has also been discussed by Naavi.org earlier and a case has been made out that “Consent Manager” under the Account Aggregator concept is different from the “Special Data Fiduciary concept of a consent manager” used in DPDPA. There is also a need for a very strict application of “Fit and Proper” criteria for registering Consent Managers.

If this aspect is neglected, we can see a major scam of theft of personal data for which the negligence of rule makers would be responsible.

Data Auditor

The rules regarding the credentials of a “Data Auditor” is another area of concern where vested interests can play havoc.

I would welcome Meity to introduce its own accreditation of Data Auditors through an open examination and should refrain from using the terms “All Cert In Accredited Auditors shall be considered as deemed to be qualified to be data auditors under the DPDPA 2023”.

Meity can use the guidance available under FDPPI’s C.DPO.DA. Certification course or DGPSI as a framework to structure the accreditation examination for Data Auditors.

The model adopted by MCA in accrediting Independent Auditors or the Law department in accrediting Patent lawyers can be followed for this purpose. The essence of these models is that the Government has a certain norm of an examination and trainings are conducted by different private bodies and not restricted to any one agency as a “Deemed Expert”.

Naavi

A trend is developing where some schools are using humanoid robots in teaching. While there is no doubt that the humanoid robot can be a store house of actual knowledge particularly in our educational system based on a specific curriculum and examination pattern based on learning from text books, the psychological impact of a machine teaching an young mind is perhaps needs to be researched.

If there can be a psychological impact of lack of biological parents for abandoned children, adopted children, single parents etc, there is a possibility that the teacher being non-human may also have its own impact psychologically on the children which perhaps may become evident not now but after another decade.

Do children look forward to an emotional support from the teacher apart from guidance on the topic? A study can be made in schools while some teachers are more popular with the students than others and why some students thrive better under one class teacher than the other.

While I am not inclined to go into the details of how a student may feel being taught by a robot instead of a human teacher as it is a core psychological subject, as some body observing the development of technology and its effect on the society, I am uncomfortable with the impact that the humanoid teacher may have on the development of a student particularly in the primary and middle educational level.

Many of the students are actually averse to learning and only when the teacher presents the concepts interestingly in the form of exercises, activities etc., are able to learn. Will a robot be able to perform similarly?

Can the robot express empathy and understand from the look of the child that today his/her mother must have scolded him or he has some other concern on the back of his mind and is unable to focus? It is doubtful that except a sentient robot others may not be able to come any where near the experience of learning from a human.

Further students in class learn not only about the subject but also about life. In this respect only a human teacher can evoke empathy even in the student who can see his mother in the form of teacher which is unlikely to happen in the case of a humanoid robots.

I wish some psychology student does a research on this subject and come up with some insight on this topic.

Naavi

In the DPDPA 2023, when the rules are notified, one of the most important aspects which the industry is looking forward to is the notification under Section 10(1) on the identification of a Significant Data Fiduciary.

The “Data Fiduciary” (DF) is an entity that determines the purpose and means of processing of personal data as distinguished from the “Data Processor” who processes the personal data under the instruction from another entity which determines the purpose and means.

There are some instances when one organization determines the purpose and then engages another organization which has full control on the means of processing for the given purpose. In such instances both organizations become “Joint Data Fiduciaries”.

Once this distinction is determined an organization needs to determine whether they are “Significant Data Fiduciaries” or not.

If volume is a criteria there could be many processors who become “Data Fiduciaries”. Firstly  since they manage proprietary processing technologies they may become joint Data Fiduciaries. There after, they may become “Significant Data Fiduciaries” since as processors for many Data Fiduciaries, the cumulative volume they handle may exceed the thresholds even if the vendors themselves may operate at low volumes. 

In other words, in today’s chain of processors, the sub contractor (Who is today referred to as a data processor) could be a “SDF” while the main contracting party may be only a “DF”.

Many cloud service providers will fall into the category of SDF where as their users may not be.

It is possible that the determination of when a DF becomes a SDF is not determined only on the basis of “Volume” but also on “Sensitivity”. Sensitivity (including processing of children data) itself is based on the “Risk to the Data Principal” and hence the criteria for determination of SDF status may depend on Volume-Sensitivity-Risk combination.

It is also possible that without consideration of “Volume”, some factors such as  ‘Risk’, as well as the ‘impact on sovereignty and integrity of India’, ‘risk to electoral democracy’, ‘security of state’ or ‘public order’ may be considered as independent criteria under which an organization may be classified as SDF .

Hence the primary criteria for identifying SDF status is the “Risk status of Processing” and volume becomes a secondary factor.

The term Data Fiduciary used in DPDPA is similar to the term “Data Controller” under GDPR and hence it would be natural for many to interpret DF from their knowledge of a Data Controller under GDPR.

The current interpretation of Data Controller is that “An Organization is a Data Controller”. If the same is applied in India, an “Organization” becomes a “Data Fiduciary”.

I would however like to challenge this concept of the status of Data Fiduciary being assigned to an organization.

Most of us today accept that an organization is some times a data controller and some times also a data processor. Significant Data Fiduciary is considered another status with special obligations. We identify this as the “Trinity Principle” where an organization can be any one of these categories for compliance purpose.

This “Trinity” principle of an organization seems to remind us of the famous Heisenberg principle of uncertainty  applicable to light and matter.  The Trinity principle states that an organization in the context of Data Protection context may exist in any of the three states of Data Fiduciary, Significant Data Fiduciary or Data Processor and the controls have to be applied accordingly.

These three different categories of status of an organization adds uncertainty to when the organization should designate a DPO or appoint a DA or when it has the obligations under Section 9. 

It is for this reason that the DGPSI (Data Governance and Protection Standard of India) adopts the principle that

“Every Organization is an aggregation of multiple processes”.

This principle of DGPSI is related to the Trinity principle of  categorization of compliance entities and makes it easy to recognise that in one process the organization may be a Data fiduciary and in another a Data Processor. By the same logic, in one process an organization is a “Significant Data Fiduciary” and in another, simply a “Data Fiduciary”.

Thus an organization is like a “Trinity” and in terms of compliance may need to be a Data Processor some times, Data Fiduciary some other times and Significant Data Fiduciary some other times. This can be identified and tagged if we break up an organization into processes of personal information for compliance.

Unfortunately, GDPR did not visualize this possibility and the DPDPA 2023 at the level of he Act has also not visualized this possibility.

However, while framing the rules, it is possible for the Government to bring in this “Trinity Principle” and distinguish our law from the rest of the world.

The Section 10(1) provides an option to notify either any “Data Fiduciary” or a “Class of Data Fiduciary” as a SDF and the Government can use the “Class” as a sub category of a DF and link it to a process.

For example, (after stating the general criteria for determining the data fiduciary), it may state

“The term ‘class’ under Section 10(1) of the Act for the application of this rule applies to any class of personal data process/es that an entity may use where the risk, sensitivity and volume of personal data processed exceeds a specified threshold”

I hope the Meity incorporates this principle when the rules are notified…..

Naavi

Also refer: Why Not “Significant Data Fiduciary” be Process Centric

As India awaits for the 2024 Lok Sabha elections to be completed and for the new Government to take charge, many of the long pending suggestions of Naavi are likely to find place in the immediate 100 day implementation plan of the next Modi Government.

One such thing is setting up of the National Cyber Security Agency (NCSA). Another focus area is the control of mobile crimes and introduction of the “Calling Name Presentation (CNAP).

The NCSA will likely to be the umbrella organization for managing Cyber Crime prevention.

Refer Economic Times article here

The NCSA needs to function with a “Cyber Space Jurisdiction” cutting across the State Police Jurisdictions and take over many of the intra state Cyber crimes which have given raise to many mafia centers in Bharatpur, Nuh etc. where criminals are unable to be controlled by the state police for various reasons. Similarly, CNAP should significantly reduce the vishing frauds.

We need similar law and procedure to ensure that E-Mail sender’s identity and domain name identity is also displayed. Without waiting for Google and Proton mail to introduce such systems, NCSA itself should introduce a “Digital Identity Gateway” which should be integrated with the browser and email clients and display the sender identity or domain name registrant identity.

Appropriate consent can be made available by the user of the service  without infringing on the Privacy .

Hopefully the rules of DPDPA 2023 will also be released during the same time. Naavi.org may publish a document shortly on the 26+ required notifications that the Government needs to make to indicate that it is not an insurmountable task any way given the intentions.

There is also a proposal for NFIR (National Financial Information Registry Bill). This should change the current non compliant system run by CIBIL and other rating agencies under the Credit Information Companies (Regulation) Act 2005 which has conveniently facilitated siphoning off of lakhs of crores worth of data of Indian Bank customers to USA. RBI has in its certification system failed to monitor the activities of these companies and today TransUnion a US Company is the owner of TransUnion CIBIL and personal information provided to Bankers for the purpose of a loan/credit card is without proper consent  shared with the US entity. This should stop and the new Act is an opportunity to correct this monumental mistake.

Naavi

The Delhi Chapter of FDPPI is conducting a workshop on DPDPA 2023 Implementation Challenges & Framework, on 12^th May 2024 in New Delhi.

This will be a day long workshop which will cover the DPDPA and its applicability, how GDPR & ISO 27701 certified companies can adopt DPDPA, CXO Insights implementation guidance and framework.

This is an excellent opportunity to interact with the community of privacy professionals and gain more insights. The workshop will be led by Mr. Na.Vijayashankar (Naavi), Chairman, FDPPI and Mr Ramesh Venkataraman,  Director, FDPPI.

The workshop cost is INR 11,000/- (with GST) which includes the course content, lunch, and beverages at the venue.

Early bird offer till Apr 22, 2024 – 15% discount

Group enrolment of 3 or more –  20% discount

Register at https://forms.gle/SSWsV1W3pHWbkgbV9

For queries, write to delhi@fdppi.in/ fdppi4privacy@gmail.com

Naavi/FDPPI is organizing events on Compliance of DPDPA at multiple centers for different audience.

Since January, one day events were held in Pune, Mumbai, Ahmedabad and Kolkata.

Now the following events are planned.

13th April 2024: Hyderabad (CIOKLUB members only)

11th May 2024: Delhi (CIOKLUB members only)

12th May 2024: Delhi (Open paid event)

18th May 2024 : Coimbatore (CIOKLUB members only)

The one day programs will cover DPDPA law and Implementation through DGPSI framework.

Interested persons who would like to attend the May 12tth event may contact FDPPI. Any other organization which may like to conduct programs for their members may also contact FDPPI.

Naavi